How do I add loopback rules in iptables?

I think JIRA needs a loopback redirect from port 443 to port 8443.

Our iptables config:

# Generated by iptables-save v1.4.21 on Mon Jan 16 15:05:07 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3552794:2931603166]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 16 15:05:07 2017
# Generated by iptables-save v1.4.21 on Mon Jan 16 15:05:07 2017
*nat
:PREROUTING ACCEPT [61:8946]
:INPUT ACCEPT [78:4096]
:OUTPUT ACCEPT [26:1751]
:POSTROUTING ACCEPT [34:2231]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Mon Jan 16 15:05:07 2017

 

I think I need to add:

A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

Right?

2 answers (1 accepted)

1 vote
Volodymyr Krupach, Community Champion, Jan 20, 2017

The first Google result gives me this (which looks fine to me):

iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443

I have never done such routing, so please update us if it works for you.

BTW: why don't you do it the more common way, by fronting JIRA/Confluence with nginx or Apache? That looks more natural to me and works without any problem. Plus, having SSL under Tomcat looks kind of weird to me.

  • PREROUTING: Packets will enter this chain before a routing decision is made.
  • INPUT: Packet is going to be locally delivered. It does not have anything to do with processes having an open socket; local delivery is controlled by the "local" routing table: ip route show table local.
  • FORWARD: All packets that have been routed and were not for local delivery will traverse this chain.
  • OUTPUT: Packets sent from the machine itself will be visiting this chain.
  • POSTROUTING: Routing decision has been made. Packets enter this chain just before handing them off to the hardware.

Correct rule:

-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
0 votes

Um. Why?

Maybe as Atlassian Support said?

Maybe:

Atlassian Support:

I have consulted my senior engineer regarding this issue and here is our findings & suggestion:

  1. Your port-forwarding rule is indeed working but it is only working for requests coming from outside the JIRA Server, for example, your work machine.
  2. However, the port-forwarding rule is not working when request is made from the JIRA server.
  3. We suspect that this is because the iptables configuration is not redirecting port 443 to port 8443, as JIRA is listening on port 8443.


I meant, why are you using iptables, really?

What do we need to use then? Share the secret, please.

I'm not sure. I don't know what your requirements are. Firewalls might be appropriate, but the better answer is usually a proxy. Not always. But it depends on what you're trying to do.

 

Nic, thanks for the answer. But we use port forwarding, and we need to use iptables.

That doesn't explain why you're using it. I use port forwarding too, but not iptables.

Port forwarding uses rules on IPs and ports, so iptables is the most logical solution on Linux. And my question wasn't about what is better, just what to add in iptables for a loopback redirect from port 443 to port 8443.

I think this:

A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

but I'm not sure.

My problem here is that you've broken your system with inappropriate iptables rules, and you're now trying to fix it by adding more. 

I do not understand why you've done this.

Obviously, you don't understand computer networks. Please don't write if you have nothing to say.
We have a good warning system. My question is very clear.

<sigh> That's incorrect, because I do know networks well enough to know what you've done wrong. I am merely asking why you think this is a good way to do it, especially as you don't really understand what you're doing. I am trying to work out the reasons behind it. I am sure you have a good one; it's just that I cannot work it out.

If you think our iptables or system is broken, the iptables config is in the topic and you could tell us what is broken. But Atlassian Support has already answered us:

  1. Your port-forwarding rule is indeed working but it is only working for requests coming from outside the JIRA Server, for example, your work machine.
  2. However, the port-forwarding rule is not working when request is made from the JIRA server.
  3. We suspect that this is because the iptables configuration is not redirecting port 443 to port 8443, as JIRA is listening on port 8443.

As you can see, it is about iptables. If you can answer my question, answer. And if not, then there is no need to lecture about what is better.

It's point 3: that's an incorrect assumption, and shows that you don't know what you're doing with it. Your iptables is blocking or forwarding local connections incorrectly. An easy check, though: turn off iptables and check that it works OK without it.

Our company has nearly 500 people. If this way has been chosen, it means there are reasons. That is not the answer to my question.

Answer honestly: do you know this rule or not?

 

And yes, you don't know, but for some reason you write anyway.

The iptables config is in front of you. You could tell us what is wrong with it. But you can't. Either answer the question, please, or write nothing. Thanks!

 

Viktar, you could use:

-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT

 

This should allow it to work externally and internally.
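A worked check for the rule sets discussed in this thread, added here as an example; it is not code from the thread or from Atlassian. It parses an iptables-save dump (the question's *nat table is embedded as constructed sample input) and reports which half of a 443 -> 8443 redirect is missing. Two facts drive the logic: REDIRECT is only valid in the nat table's PREROUTING and OUTPUT chains, so a filter-table INPUT rule like the one proposed in the question is rejected by iptables; and packets the JIRA host generates itself traverse nat OUTPUT, never PREROUTING. An OUTPUT rule narrowed to -s 127.0.0.1 -d 127.0.0.1 only catches requests to localhost; a request from the host to its own public address is routed over lo with that public address as both source and destination, so the rule that covers both cases is -o lo with no address match. The example assumes a POSIX shell with awk; the live check at the end runs only as root with iptables-save present.

```shell
#!/bin/sh
# Added example, not from the thread or from Atlassian. Checks an iptables-save
# dump for the two nat rules that make a 443 -> 8443 redirect work both for
# remote clients (PREROUTING) and for the JIRA host talking to itself (OUTPUT),
# and prints the iptables commands for whatever is missing.
# Assumption: POSIX sh plus awk; only the optional live check needs root.

# Constructed sample input: the *nat table exactly as posted in the question.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [61:8946]
:INPUT ACCEPT [78:4096]
:OUTPUT ACCEPT [26:1751]
:POSTROUTING ACCEPT [34:2231]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Print only the "-A <chain> ..." lines of the *nat table read from stdin.
nat_rules() {
    awk '/^\*nat$/ { in_nat = 1; next }
         /^COMMIT$/ { in_nat = 0 }
         in_nat && /^-A / { print }'
}

# Shared matcher: succeed (exit 0) if some rule in chain $1 carries
# "--dport $2 -j REDIRECT --to-ports $3". With $4 = "unnarrowed" the rule
# must additionally have no -s/-d match, so it applies to every locally
# originated connection to one of the host's own addresses, not only to
# 127.0.0.1. Reads an iptables-save dump from stdin.
find_redirect() {
    nat_rules | awk -v chain="$1" -v dport="$2" -v toport="$3" -v mode="$4" '
        $2 == chain {
            hit_port = 0; hit_target = 0; hit_to = 0; narrowed = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport"    && $(i + 1) == dport)      hit_port = 1
                if ($i == "-j"         && $(i + 1) == "REDIRECT") hit_target = 1
                if ($i == "--to-ports" && $(i + 1) == toport)     hit_to = 1
                if ($i == "-s" || $i == "-d")                      narrowed = 1
            }
            if (hit_port && hit_target && hit_to && !(mode == "unnarrowed" && narrowed))
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Remote clients: a REDIRECT in PREROUTING.
has_prerouting_redirect() { find_redirect PREROUTING "$1" "$2" any; }

# The host itself: an OUTPUT REDIRECT that is not narrowed to 127.0.0.1.
# A request from the JIRA server to https://<its own public name>/ leaves via
# lo with the public address as both source and destination, so a rule
# limited to -s 127.0.0.1 -d 127.0.0.1 never sees it; "-o lo" with no
# address match covers both that case and plain localhost.
covers_loopback() { find_redirect OUTPUT "$1" "$2" unnarrowed; }

# Print the iptables commands still needed for a $1 -> $2 redirect, given an
# iptables-save dump on stdin; prints nothing when both halves are present.
# REDIRECT only exists in the nat table (PREROUTING/OUTPUT), which is why no
# filter-table INPUT rule appears here.
missing_commands() {
    dump=$(cat)
    printf '%s\n' "$dump" | has_prerouting_redirect "$1" "$2" ||
        echo "iptables -t nat -A PREROUTING -p tcp --dport $1 -j REDIRECT --to-ports $2"
    printf '%s\n' "$dump" | covers_loopback "$1" "$2" ||
        echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Stand-alone run: inspect the live ruleset when possible, else the sample.
if [ "$(id -u)" = 0 ] && command -v iptables-save >/dev/null 2>&1; then
    iptables-save -t nat 2>/dev/null | missing_commands 443 8443
else
    printf '%s\n' "$SAMPLE_NAT" | missing_commands 443 8443
fi
```

On the question's dump this prints only the OUTPUT command, because the PREROUTING half and the port-80 loopback rule are already there. After adding that rule the check prints nothing. The existing -s/-d 127.0.0.1 rule can stay; it matches a subset of what the -o lo rule matches, so the two do not conflict.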
